Can You Crack an Unpowered Computer?

One of the things I’ve always believed to be true about computer security is this statement:

The only unhackable computer is a computer that’s powered-down.

I always thought that a good, simple way to make your company a whole lot safer would be to simply power down every workstation and server at the end of the day (if this is feasible — usually it’s not). If you do this, then there are about 15 hours in the day when the machines can’t be touched, including the overnight hours which I’m sure are a cracker’s paradise.

But I got to thinking about this the other day: given the advances in cracking, is this still true? Or is there some way to remotely compromise a machine that’s unpowered? Alternately, is there a way to power up a machine remotely and involuntarily?

For instance, a lot of machines with modems can be set to boot when the phone line attached to the modem rings. So if you knew the phone number of a machine you wanted to crack, you could call it, and force it to power up.

Can anyone think of other situations where a cracker could compromise a machine that had no power? Is shutting off a computer still the single, uncircumventable security measure? Can I still cling to my theory?

Looking for a clear, unbiased view of web content management?Web Content Management: Systems, Features, and Best Practices explores the systems, technologies, and platforms within web content management, giving you the knowledge you need to solve the right problems.

Comments

If you’re just powering it down (and not physically disconnecting the power), then a super-sophisticated attacker could theoretically send Wake-on-LAN signals to the machine to activate it, but that would mean that the attacker would have to already know the MAC address of the machine by some other means (firewall logs perhaps?).

If you’re after time-based security, it would be smarter to power down the router every night instead of the workstations. Of course, since everything is still vulnerable during the day, this provides little true security, which is why you don’t see many places doing it.

Of course, since everything is still vulnerable during the day, this provides little true security

Yes, but you’re making everything invulnerable for 63% of the day (they’re off for 15 hours out of 24).

If someone is trying to attack you specifically, they’ll just do it during the day. But if someone is just randomly cruising for a network to crack, then only being available for one-third the time strikes me as better than the alternative.

I’m not too savvy on this topic, but could the proposed electrical outlet-based connections shift that theory? If the unit is powered down, but still plugged in, then it would be quite vulnerable through the AC socket…

Theres also the wake-on-usb option on modern motherboards, mine does it, the computer is essentially powered down, but can be turned on via usb, what if your router (like mine) was usb? altough i always turn the power off at the plug, no chance!